Details
-
Bug
-
Resolution: Done
-
Major
-
jboss-fuse-6.1
-
None
-
%
Description
- JBoss Fuse 6.1 is authenticated when provided with no password. For bad/invalid password login fails.
- Issue is fixed with higher version of karaf and is logged in community JIRA https://issues.apache.org/jira/browse/KARAF-3119.
- In Fuse 6.2 karaf version is 2.4 where this particular property is available
public final static String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";// which is set to false by default. .... allowEmptyPasswords = Boolean.parseBoolean((String) options.get(ALLOW_EMPTY_PASSWORDS)); .... if ((!"none".equals(this.authentication)) && (!this.allowEmptyPasswords) && ((tmpPassword == null) || (tmpPassword.length == 0))) { throw new LoginException("Empty passwords not allowed"); }
- Being a security threat similar implementation would be needed in jboss-fuse-6.1 as well. Checked with latest patch but this fix is not available.
